Reply to thread

Message

HOW TO REMOVE MALWARE (Virus/Trojans/Spyware & some rootkits)

HOW TO REMOVE MALWARE (Virus/Trojans/Spyware & some rootkits)

HOW TO REMOVE MALWARE - INTRODUCTION (using 110% free tools, OR ones you have in your OS already natively, to remove malware infestations of ANY kind HOW TO):

NOW, after ALL of the above? IF you do find yourself "infested" though, one day??

(Which is going to RARE (if @ all) - Usually, after the above set of steps you can use to secure yourselves, the ONLY way you usually can be reinfected, is to click & run a bogus email attachment, OR, by turning on Javascript & IFrames for instance! (or, allowing shockwave or a bum ActiveX control to run) OR, via a vulnerability in your applications OR Operating System that needs patching (I note this in the init. post of this thread in fact in this latter point now)).

YES - It happens! Far more rarely than it had before (using a buddy of mine Jack as an example in fact - I chose him as a tester because he was nearly constantly infested is why & this all worked for he, until he violated javascript usage rules I mentioned above).

E.G.-> I have had users violate that/those "rule(s)" from above & that was how they were reinfected - BUT, one tester of mine DEFINITELY gets infected FAR LESS than he used to, by applying the above... this is certain!

I.E.-> I have had this setup running Windows Server 2003 (SP#2, fully hotfix patched & hardened per the above as of this date) since early 2003, running "110% bulletproof & bugfree" because of following the rules & suggestions noted above!

ANYHOW - Malware infested? TRY THIS SET OF TOOLS & TECHNIQUES:

How to clean yourself up?

This "toolkit" & process has helped me get thru over a 1,000 spyware/virus clean up calls, & hopefully? It will yourself, as well, so... here goes:

==========

1.) Reboot your system to F8 @ startup "Windows Advanced Options" bootup menu that stops you during the boot sequence.

----

2.) There, choose "safemode with networking" (via the "Windows Advanced Options" menu you get presented with while tapping the F8 key repeatedly @ system startup).

----

3.) Once in safemode with networking Windows, download/install & RUN these tools (they are not much to look at, BUT, they do work on MOST threats today & get regularly updated):

a. Run IE, use its TOOLS menu, Manage Addons Submenu, & turn off ANY BHO etc. objects that you do NOT absolutely NEED, or know what they are (many malwares in the form of bogus toolbars or BHO (browser helper objects) often hide here).

ALSO, GREAT NEW POINT EDITED IN NOW (01/13/2008) per Delightus14 @ Neowin forums: ALSO CLEAN OUT YOUR WEBBROWER CACHES & %temp/tmp% temp. ops locations so no maladies exist there also awaiting re-awakening by accident

You do this via Internet Explorer (using IE as an example, it is the same idea in Opera/FireFox/Netscape/Mozilla etc. too) via its Tools menu, Internet Options submenu, & on IE options screen, use the "Browsing History" group in IE7, & delete things as necessary from IE's browser caches etc. & for OS + app level %temp% & %tmp% environmental values' areas? Type SET @ a DOS prompt to see where you located those, & burn their contents via DEL commands, OR via explorer.exe/MyComputer filemanagement.

b. Run msconfig.exe, & stall out ANY apps you do NOT absolutely NEED to run (many malware start here in fact). If you do NOT know the name of the program & what it does? Look it up on GOOGLE... same with BHO's above in IE.

c. DOWNLOAD & INSTALL SpyBot 1.51x

d. DOWNLOAD (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) ComboFix (don't run it yet - there is no installer, it IS its own install + run package)

COMBOFIX MAY HAVE SOME "MINOR SIDE EFFECTS" though, & here are 3 I have noted, & HOW to fix them:

1.) IE homepage: No big deal to "fix this". You go to Start Button -> CONTROL PANEL (use CLASSIC VIEW, it's easier imo) -> Internet Options -> General Tab & HOMEPAGE (here is where you change that).

2.) System Time (rightclick on timeclock in lower righthand side of your screen, & from its POPUP menu, use the Date/Time tool)

3.) Desktop wallpaper (easy to fix: Rightclick on Desktop, use properties menu, & the desktop tab, change your background wallpaper there)

e. DOWNLOAD (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) SmitFraudFix (which also has its own LSP (layered service provider fix I have heard tell), BUT, againL Don't run it yet - as AGAIN -> there is no installer, it IS its own install + run package)

An alternate here, is LSPFix.exe...

----

4.) Clean out your rig, running SpyBot, first (most of the threats today are SPYWARE related, or TROJANS, more than std. typical traditional viruses by the way).

----

5.) Then, run ComboFix (this will reset your webbrowser homepage & background desktop wallpaper, you will have to reset these, & possibly your date/time clock in Windows too).

(OPTIONAL - use ONLY if Spybot for example, cannot remove a malware)

----

6.) Then, run SmitFraudFix (or, as an alternate, LSPFix)

(OPTIONAL - use ONLY if Spybot for example, cannot remove a malware)

----

7.) Reboot to "normal Windows" (no F8 stuff this round) - it MAY hesitate/be slower this bootup though, because SpyBot/ComboFix/SmitFraud do a 2nd look type check on bootup many times... so, be prepared for this part.

----

8.) Then, once in normal Windows again, scan with your AntiVirus solution (now fully updated hopefully & if not, do update it first & then scan).

Good suggested FREE one, is AVG AntiVirus (I suggest this one, because it is free + complete w/ mail protection too that's decent enough, & just in case your antivirus solution is expired... if it is not expired, update the one you use. Keeping another around for a "2nd Dr.'s Opinion" is NOT a bad idea, BUT: ONLY RUN 1 OF THEM, "resident" (meaning runnings its background application & file scanning engine, usually implemented as a service + trayicon app). IMO, NOD32 is the best performer all-around in terms of antivirus programs. av-comparatives & vb100 tend to 2nd me here as well.

* @ that point? You probably will have 'caught the culprits', OR, @ least have the name + location of any threats they could NOT eliminate... & here is where it gets REALLY "fun"...

==========

NOW, when you CAN'T remove a virus using "script kiddie automated tools" like those noted above (not putting them down calling them that because they ARE somebody's hard work & freely given time as well... but, they ARE that, because they're only automating what YOU can do, yourself, with other tools like msconfig/IE manage addons, & more tools like Process Explorer + regedit & explorer.exe (OR even Recovery Console) can allow YOU to do, yourself, albeit slower... the nice part about the automated killers like the tools I mention above, is that they operate FAR FASTER than human beings do).

ANYHOW - IF you can get its name, & location on disk say, via a report from AVG or other programs you use for this?

Boot your system from the OS install CD, & go to RECOVERY CONSOLE!

There, switch to the folder that houses it using CD (almost like DOS one, but uses .. ONLY, to switch to ancestor folder roots really (instead of \ etc. et al))!

Then, once you are in its folder, fry it then (nothing will be loading & thus, locking it, there) using the DEL command -> DEL filename.

****

It's THAT, or using Process Explorer in UserMode/Ring 3/RPL3 operation...

You would do a suspending the calling process via right click popup menu options for this it offers! Once the calling process is suspended (& many times, also the called or DLL injected library as well), you can delete ANY potential offending injected DLL/lib virus-trojan-spyware-malware being called by said parent process, on disk.

(This ia assuming this is a lib loaded virus/spyware/trojan/malware etc., not a standalone .exe type)

That's done via watching loaded DLL's that ANY app may have loaded presently (For that, you would have to use ProExp's CTRL+D keystroke shortcut, with the lower pane view present/visible, & set like that) IF there is one and this thing doesn't launch by itself from one of the registry RUN areas or startup groups that is...

Using Process Explorer can help!

(Again, especially if this is being run by "DLL Injection" (like an OLEServer being injected into a process via CLSIDs, shell extensions, or being run by rundll32.exe OR svchost.exe, process hosting executables that can spawn either .exe OR .dll/lib based ones)).

****

The easier/simpler route?

My first suggestion:

Use Recovery Console, once you have its name & location on disk... DEL command will take care of it, lickety-split, no-$heet.

APK

P.S.=> As to rootkits? The ONLY kind I know how to remove, is the bootsector originated type, & booting to RECOVERY CONSOLE is your pal here, once more: FixMBR &/or FixBoot are your buddies there in its commandset, as they repair the Master Boot Record (MBR) for NT-based OS'... other than bootsector started types? It's USUALLY recommended to "repave" (redo your setup, after backup of your personally created data)... apk

<blockquote data-quote="APK" data-source="post: 417212" data-attributes="member: 963">HOW TO REMOVE MALWARE (Virus/Trojans/Spyware &amp; some rootkits)HOW TO REMOVE MALWARE (Virus/Trojans/Spyware &amp; some rootkits)HOW TO REMOVE MALWARE - INTRODUCTION (using 110% free tools, OR ones you have in your OS already natively, to remove malware infestations of ANY kind HOW TO):NOW, after ALL of the above? IF you do find yourself &quot;infested&quot; though, one day??(Which is going to RARE (if @ all) - Usually, after the above set of steps you can use to secure yourselves, the ONLY way you usually can be reinfected, is to click &amp; run a bogus email attachment, OR, by turning on Javascript &amp; IFrames for instance! (or, allowing shockwave or a bum ActiveX control to run) OR, via a vulnerability in your applications OR Operating System that needs patching (I note this in the init. post of this thread in fact in this latter point now)).YES - It happens! Far more rarely than it had before (using a buddy of mine Jack as an example in fact - I chose him as a tester because he was nearly constantly infested is why &amp; this all worked for he, until he violated javascript usage rules I mentioned above).E.G.-&gt; I have had users violate that/those &quot;rule(s)&quot; from above &amp; that was how they were reinfected - BUT, one tester of mine DEFINITELY gets infected FAR LESS than he used to, by applying the above... this is certain!I.E.-&gt; I have had this setup running Windows Server 2003 (SP#2, fully hotfix patched &amp; hardened per the above as of this date) since early 2003, running &quot;110% bulletproof &amp; bugfree&quot; because of following the rules &amp; suggestions noted above!ANYHOW - Malware infested? TRY THIS SET OF TOOLS &amp; TECHNIQUES:How to clean yourself up? This &quot;toolkit&quot; &amp; process has helped me get thru over a 1,000 spyware/virus clean up calls, &amp; hopefully? It will yourself, as well, so... here goes:==========1.) Reboot your system to F8 @ startup &quot;Windows Advanced Options&quot; bootup menu that stops you during the boot sequence.----2.) There, choose &quot;safemode with networking&quot; (via the &quot;Windows Advanced Options&quot; menu you get presented with while tapping the F8 key repeatedly @ system startup).----3.) Once in safemode with networking Windows, download/install &amp; RUN these tools (they are not much to look at, BUT, they do work on MOST threats today &amp; get regularly updated):a. Run IE, use its TOOLS menu, Manage Addons Submenu, &amp; turn off ANY BHO etc. objects that you do NOT absolutely NEED, or know what they are (many malwares in the form of bogus toolbars or BHO (browser helper objects) often hide here).ALSO, GREAT NEW POINT EDITED IN NOW (01/13/2008) per Delightus14 @ Neowin forums: ALSO CLEAN OUT YOUR WEBBROWER CACHES &amp; %temp/tmp% temp. ops locations so no maladies exist there also awaiting re-awakening by accident You do this via Internet Explorer (using IE as an example, it is the same idea in Opera/FireFox/Netscape/Mozilla etc. too) via its Tools menu, Internet Options submenu, &amp; on IE options screen, use the &quot;Browsing History&quot; group in IE7, &amp; delete things as necessary from IE&#039;s browser caches etc. &amp; for OS + app level %temp% &amp; %tmp% environmental values&#039; areas? Type SET @ a DOS prompt to see where you located those, &amp; burn their contents via DEL commands, OR via explorer.exe/MyComputer filemanagement.b. Run msconfig.exe, &amp; stall out ANY apps you do NOT absolutely NEED to run (many malware start here in fact). If you do NOT know the name of the program &amp; what it does? Look it up on GOOGLE... same with BHO&#039;s above in IE.c. DOWNLOAD &amp; INSTALL SpyBot 1.51xd. DOWNLOAD (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) ComboFix (don&#039;t run it yet - there is no installer, it IS its own install + run package)COMBOFIX MAY HAVE SOME &quot;MINOR SIDE EFFECTS&quot; though, &amp; here are 3 I have noted, &amp; HOW to fix them:1.) IE homepage: No big deal to &quot;fix this&quot;. You go to Start Button -&gt; CONTROL PANEL (use CLASSIC VIEW, it&#039;s easier imo) -&gt; Internet Options -&gt; General Tab &amp; HOMEPAGE (here is where you change that).2.) System Time (rightclick on timeclock in lower righthand side of your screen, &amp; from its POPUP menu, use the Date/Time tool)3.) Desktop wallpaper (easy to fix: Rightclick on Desktop, use properties menu, &amp; the desktop tab, change your background wallpaper there)e. DOWNLOAD (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) SmitFraudFix (which also has its own LSP (layered service provider fix I have heard tell), BUT, againL&nbsp; Don&#039;t run it yet - as AGAIN -&gt; there is no installer, it IS its own install + run package)An alternate here, is LSPFix.exe... ----4.) Clean out your rig, running SpyBot, first (most of the threats today are SPYWARE related, or TROJANS, more than std. typical traditional viruses by the way).----5.) Then, run ComboFix (this will reset your webbrowser homepage &amp; background desktop wallpaper, you will have to reset these, &amp; possibly your date/time clock in Windows too).(OPTIONAL - use ONLY if Spybot for example, cannot remove a malware)----6.) Then, run SmitFraudFix (or, as an alternate, LSPFix)(OPTIONAL - use ONLY if Spybot for example, cannot remove a malware)----7.) Reboot to &quot;normal Windows&quot; (no F8 stuff this round) - it MAY hesitate/be slower this bootup though, because SpyBot/ComboFix/SmitFraud do a 2nd look type check on bootup many times... so, be prepared for this part.----8.) Then, once in normal Windows again, scan with your AntiVirus solution (now fully updated hopefully &amp; if not, do update it first &amp; then scan).Good suggested FREE one, is AVG AntiVirus (I suggest this one, because it is free + complete w/ mail protection too that&#039;s decent enough, &amp; just in case your antivirus solution is expired... if it is not expired, update the one you use. Keeping another around for a &quot;2nd Dr.&#039;s Opinion&quot; is NOT a bad idea, BUT: ONLY RUN 1 OF THEM, &quot;resident&quot; (meaning runnings its background application &amp; file scanning engine, usually implemented as a service + trayicon app). IMO, NOD32 is the best performer all-around in terms of antivirus programs. av-comparatives &amp; vb100 tend to 2nd me here as well.* @ that point? You probably will have &#039;caught the culprits&#039;, OR, @ least have the name + location of any threats they could NOT eliminate... &amp; here is where it gets REALLY &quot;fun&quot;...==========NOW, when you CAN&#039;T remove a virus using &quot;script kiddie automated tools&quot; like those noted above (not putting them down calling them that because they ARE somebody&#039;s hard work &amp; freely given time as well... but, they ARE that, because they&#039;re only automating what YOU can do, yourself, with other tools like msconfig/IE manage addons, &amp; more tools like Process Explorer + regedit &amp; explorer.exe (OR even Recovery Console) can allow YOU to do, yourself, albeit slower... the nice part about the automated killers like the tools I mention above, is that they operate FAR FASTER than human beings do).ANYHOW - IF you can get its name, &amp; location on disk say, via a report from AVG or other programs you use for this? Boot your system from the OS install CD, &amp; go to RECOVERY CONSOLE!There, switch to the folder that houses it using CD (almost like DOS one, but uses .. ONLY, to switch to ancestor folder roots really (instead of \ etc. et al))!Then, once you are in its folder, fry it then (nothing will be loading &amp; thus, locking it, there) using the DEL command -&gt; DEL filename.****It&#039;s THAT, or using Process Explorer in UserMode/Ring 3/RPL3 operation...You would do a suspending the calling process via right click popup menu options for this it offers! Once the calling process is suspended (&amp; many times, also the called or DLL injected library as well), you can delete ANY potential offending injected DLL/lib virus-trojan-spyware-malware being called by said parent process, on disk.(This ia assuming this is a lib loaded virus/spyware/trojan/malware etc., not a standalone .exe type)That&#039;s done via watching loaded DLL&#039;s that ANY app may have loaded presently (For that, you would have to use ProExp&#039;s CTRL+D keystroke shortcut, with the lower pane view present/visible, &amp; set like that) IF there is one and this thing doesn&#039;t launch by itself from one of the registry RUN areas or startup groups that is...Using Process Explorer can help!(Again, especially if this is being run by &quot;DLL Injection&quot; (like an OLEServer being injected into a process via CLSIDs, shell extensions, or being run by rundll32.exe OR svchost.exe, process hosting executables that can spawn either .exe OR .dll/lib based ones)).****The easier/simpler route?My first suggestion:Use Recovery Console, once you have its name &amp; location on disk... DEL command will take care of it, lickety-split, no-$heet.APKP.S.=&gt; As to rootkits? The ONLY kind I know how to remove, is the bootsector originated type, &amp; booting to RECOVERY CONSOLE is your pal here, once more: FixMBR &amp;/or FixBoot are your buddies there in its commandset, as they repair the Master Boot Record (MBR) for NT-based OS&#039;... other than bootsector started types? It&#039;s USUALLY recommended to &quot;repave&quot; (redo your setup, after backup of your personally created data)... apk</blockquote>

[QUOTE="APK, post: 417212, member: 963"] [b]HOW TO REMOVE MALWARE (Virus/Trojans/Spyware & some rootkits)[/b] HOW TO REMOVE MALWARE (Virus/Trojans/Spyware & some rootkits) [b]HOW TO REMOVE MALWARE - INTRODUCTION (using 110% free tools, OR ones you have in your OS already natively, to remove malware infestations of ANY kind HOW TO):[/b] NOW, after ALL of the above? IF you do find yourself "infested" though, one day?? (Which is going to RARE (if @ all) - Usually, after the above set of steps you can use to secure yourselves, the ONLY way you usually can be reinfected, is to click & run a bogus email attachment, OR, by turning on Javascript & IFrames for instance! (or, allowing shockwave or a bum ActiveX control to run) OR, via a vulnerability in your applications OR Operating System that needs patching (I note this in the init. post of this thread in fact in this latter point now)). YES - It happens! Far more rarely than it had before (using a buddy of mine Jack as an example in fact - I chose him as a tester because he was nearly constantly infested is why & this all worked for he, until he violated javascript usage rules I mentioned above). E.G.-> I have had users violate that/those "rule(s)" from above & that was how they were reinfected - BUT, one tester of mine DEFINITELY gets infected FAR LESS than he used to, by applying the above... this is certain! I.E.-> I have had this setup running Windows Server 2003 (SP#2, fully hotfix patched & hardened per the above as of this date) since early 2003, running "110% bulletproof & bugfree" because of following the rules & suggestions noted above! [b]ANYHOW - Malware infested? TRY THIS SET OF TOOLS & TECHNIQUES:[/b] How to clean yourself up? This "toolkit" & process has helped me get thru over a 1,000 spyware/virus clean up calls, & hopefully? It will yourself, as well, so... here goes: ========== [b]1.) [/b]Reboot your system to F8 @ startup "Windows Advanced Options" bootup menu that stops you during the boot sequence. ---- [b]2.) [/b] There, choose "safemode with networking" (via the "Windows Advanced Options" menu you get presented with while tapping the F8 key repeatedly @ system startup). ---- [b]3.) [/b] Once in safemode with networking Windows, download/install & RUN these tools (they are not much to look at, BUT, they do work on MOST threats today & get regularly updated): [b]a. [/b] Run IE, use its TOOLS menu, Manage Addons Submenu, & turn off ANY BHO etc. objects that you do NOT absolutely NEED, or know what they are (many malwares in the form of bogus toolbars or BHO (browser helper objects) often hide here). [b]ALSO, GREAT NEW POINT EDITED IN NOW (01/13/2008) per Delightus14 @ Neowin forums: ALSO CLEAN OUT YOUR WEBBROWER CACHES & %temp/tmp% temp. ops locations so no maladies exist there also awaiting re-awakening by accident[/b] You do this via Internet Explorer (using IE as an example, it is the same idea in Opera/FireFox/Netscape/Mozilla etc. too) via its Tools menu, Internet Options submenu, & on IE options screen, use the "Browsing History" group in IE7, & delete things as necessary from IE's browser caches etc. & for OS + app level %temp% & %tmp% environmental values' areas? Type SET @ a DOS prompt to see where you located those, & burn their contents via DEL commands, OR via explorer.exe/MyComputer filemanagement. [b]b. [/b] Run msconfig.exe, & stall out ANY apps you do NOT absolutely NEED to run (many malware start here in fact). If you do NOT know the name of the program & what it does? Look it up on GOOGLE... same with BHO's above in IE. [b]c. [/b] DOWNLOAD & INSTALL SpyBot 1.51x [b]d. [/b] DOWNLOAD (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) ComboFix (don't run it yet - there is no installer, it IS its own install + run package) [b]COMBOFIX MAY HAVE SOME "MINOR SIDE EFFECTS" though, & here are 3 I have noted, & HOW to fix them:[/b] [b]1.) IE homepage:[/b] No big deal to "fix this". You go to Start Button -> CONTROL PANEL (use CLASSIC VIEW, it's easier imo) -> Internet Options -> General Tab & HOMEPAGE (here is where you change that). [b]2.) System Time[/b] (rightclick on timeclock in lower righthand side of your screen, & from its POPUP menu, use the Date/Time tool) [b]3.) Desktop wallpaper[/b] (easy to fix: Rightclick on Desktop, use properties menu, & the desktop tab, change your background wallpaper there) [b]e. [/b] DOWNLOAD (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) SmitFraudFix (which also has its own LSP (layered service provider fix I have heard tell), BUT, againL Don't run it yet - as AGAIN -> there is no installer, it IS its own install + run package) An alternate here, is LSPFix.exe... ---- [b]4.) [/b] Clean out your rig, running SpyBot, first (most of the threats today are SPYWARE related, or TROJANS, more than std. typical traditional viruses by the way). ---- [b]5.) [/b] Then, run ComboFix (this will reset your webbrowser homepage & background desktop wallpaper, you will have to reset these, & possibly your date/time clock in Windows too). (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) ---- [b]6.) [/b] Then, run SmitFraudFix (or, as an alternate, LSPFix) (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) ---- [b]7.) [/b] Reboot to "normal Windows" (no F8 stuff this round) - it MAY hesitate/be slower this bootup though, because SpyBot/ComboFix/SmitFraud do a 2nd look type check on bootup many times... so, be prepared for this part. ---- [b]8.) [/b] Then, once in normal Windows again, scan with your AntiVirus solution (now fully updated hopefully & if not, do update it first & then scan). Good suggested FREE one, is AVG AntiVirus (I suggest this one, because it is free + complete w/ mail protection too that's decent enough, & just in case your antivirus solution is expired... if it is not expired, update the one you use. Keeping another around for a "2nd Dr.'s Opinion" is NOT a bad idea, BUT: ONLY RUN 1 OF THEM, "resident" (meaning runnings its background application & file scanning engine, usually implemented as a service + trayicon app). IMO, NOD32 is the best performer all-around in terms of antivirus programs. av-comparatives & vb100 tend to 2nd me here as well. * @ that point? You probably will have 'caught the culprits', OR, @ least have the name + location of any threats they could NOT eliminate... & here is where it gets REALLY "fun"... ========== [b]NOW, when you CAN'T remove a virus[/b] using "script kiddie automated tools" like those noted above (not putting them down calling them that because they ARE somebody's hard work & freely given time as well... but, they ARE that, because they're only automating what YOU can do, yourself, with other tools like msconfig/IE manage addons, & more tools like Process Explorer + regedit & explorer.exe (OR even Recovery Console) can allow YOU to do, yourself, albeit slower... the nice part about the automated killers like the tools I mention above, is that they operate FAR FASTER than human beings do). ANYHOW - IF you can get its name, & location on disk say, via a report from AVG or other programs you use for this? [b]Boot your system from the OS install CD, & go to RECOVERY CONSOLE![/b] There, switch to the folder that houses it using CD (almost like DOS one, but uses .. ONLY, to switch to ancestor folder roots really (instead of \ etc. et al))! Then, once you are in its folder, fry it then (nothing will be loading & thus, locking it, there) using the DEL command -> DEL filename. **** [b]It's THAT, or using Process Explorer in UserMode/Ring 3/RPL3 operation...[/b] You would do a suspending the calling process via right click popup menu options for this it offers! Once the calling process is suspended (& many times, also the called or DLL injected library as well), you can delete ANY potential offending injected DLL/lib virus-trojan-spyware-malware being called by said parent process, on disk. (This ia assuming this is a lib loaded virus/spyware/trojan/malware etc., not a standalone .exe type) That's done via watching loaded DLL's that ANY app may have loaded presently (For that, you would have to use ProExp's CTRL+D keystroke shortcut, with the lower pane view present/visible, & set like that) IF there is one and this thing doesn't launch by itself from one of the registry RUN areas or startup groups that is... Using Process Explorer can help! (Again, especially if this is being run by "DLL Injection" (like an OLEServer being injected into a process via CLSIDs, shell extensions, or being run by rundll32.exe OR svchost.exe, process hosting executables that can spawn either .exe OR .dll/lib based ones)). **** [b]The easier/simpler route? My first suggestion:[/b] Use Recovery Console, once you have its name & location on disk... DEL command will take care of it, lickety-split, no-$heet. APK P.S.=> As to rootkits? The ONLY kind I know how to remove, is the bootsector originated type, & booting to RECOVERY CONSOLE is your pal here, once more: FixMBR &/or FixBoot are your buddies there in its commandset, as they repair the Master Boot Record (MBR) for NT-based OS'... other than bootsector started types? It's USUALLY recommended to "repave" (redo your setup, after backup of your personally created data)... apk [/QUOTE]

Verification

This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.

Accept Learn more…

Back

Top